Local File Read via XSS in Dynamically Generated PDF

November 08, 2017

Hello Hunters,

This time I am writing about a vulnerability found in another private program (xyz.com) on Bugcrowd, which at first I thought wasn't very harmful (P4) but which I later escalated to a P1.

While browsing the application I came across an endpoint that allowed us to download some kind of payment statements as a PDF. The URL looked like this:

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date=2017-08-11&settlement_type=all&advice_id=undefined

I saw that the value of the utrnumber parameter was reflected inside the PDF file that got downloaded, so I put some HTML in the utrnumber parameter, such as ">aaa:

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=">aaa&date=2017-08-11&settlement_type=all&advice_id=undefined

Upon opening this PDF I found that the HTML was rendered and could be seen in the PDF. This kind of vulnerability usually leads to XSS, but this time it was inside a PDF that was being generated dynamically on the server. If you want to learn more about XSS, I advise you to check out this great intro: https://www.aptive.co.uk/blog/xss-cross-site-scripting/

I tried whether I could use an iframe to load internal domains in the frame, or iframe file:///etc/passwd, but none of those tricks worked! I also wasn't able to iframe external domains.

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=">&date=2017-08-11&settlement_type=all&advice_id=undefined

At this point I didn't know if I could go further, because I wasn't sure whether JavaScript could be executed like this in a PDF. After playing around a lot I found that we could execute JavaScript with the help of DOM manipulation:
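Before following the escalation further, here is the shape of the defect the post describes and its server-side fix, as an added example that is not code from the post or from the xyz.com application: a handler that interpolates the utrnumber parameter straight into the HTML a headless browser renders to PDF, beside one that escapes and validates it first. The function names, the template, and the assumed UTR and date formats are this example's own assumptions.

```javascript
// Added example, not code from the post or from the target application.
// Shows how a reflected query parameter ends up inside the HTML that a
// headless browser converts to PDF, and the server-side fix. Names assumed.

// Vulnerable shape: the raw parameter is concatenated into the markup handed
// to the PDF renderer, so a value such as "><b>aaa</b> closes the attribute and
// the renderer parses the rest as HTML (and any <script> as JavaScript).
function buildStatementHtmlUnsafe(params) {
  return [
    '<html><body>',
    '<h1>Payment statement</h1>',
    `<input type="text" name="utrnumber" value="${params.utrnumber}">`,
    `<p>Date: ${params.date}</p>`,
    '</body></html>',
  ].join('\n');
}

// Contextual output encoding: escape the five characters that are significant
// in HTML text and in double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened template: every interpolated value is escaped, whatever it contains.
function buildStatementHtml(params) {
  return [
    '<html><body>',
    '<h1>Payment statement</h1>',
    `<input type="text" name="utrnumber" value="${escapeHtml(params.utrnumber)}">`,
    `<p>Date: ${escapeHtml(params.date)}</p>`,
    '</body></html>',
  ].join('\n');
}

// Input validation as a second layer. The formats are assumptions: a UTR is
// treated as a short alphanumeric token and the date as YYYY-MM-DD, so anything
// else is rejected before a renderer ever sees it.
const UTR_RE = /^[A-Za-z0-9]{1,32}$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
function validateStatementParams(params) {
  if (!UTR_RE.test(params.utrnumber || '')) throw new Error('utrnumber: unexpected format');
  if (!DATE_RE.test(params.date || '')) throw new Error('date: unexpected format');
  return params;
}

// What a handler behind an endpoint like downloadStatements should call
// before passing HTML to the PDF renderer (hypothetical handler name).
function renderStatementHtml(params) {
  return buildStatementHtml(validateStatementParams(params));
}

// Stand-alone demo: print both templates for a markup-bearing value.
if (typeof require !== 'undefined' && require.main === module) {
  const sample = { utrnumber: '"><b>aaa</b>', date: '2017-08-11' };
  console.log(buildStatementHtmlUnsafe(sample));
  console.log(buildStatementHtml(sample));
}
```

Escaping fixes the injection; the validation layer is there because statement parameters have a known shape and rejecting anything else is cheap. Independently of the template, the renderer itself should be run with JavaScript disabled and local file access disabled where the tool supports it (wkhtmltopdf has --disable-javascript and --disable-local-file-access; Puppeteer has page.setJavaScriptEnabled(false)), and the HTML should be served to it from an http(s) origin rather than opened from a file:// path, so that a reflected script, if one ever gets through, does not run with file:// privileges on the server.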
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=aa&date=2017-08-11&settlement_type=all&advice_id=undefined

Upon downloading the PDF I found that it contained the "aaaa" :D Some time later I also found that I could use the document.write() function to show results more easily.

After this I checked the window.location of where this JavaScript was executed and, to my surprise, it was executing in the file:// origin on the server:

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=&date=2017-08-11&settlement_type=all&advice_id=undefined

Now, since it was executing on file://, I tried whether we could access file:///etc/passwd via XHR (XMLHttpRequest). I wasn't sure myself.

https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=&date=2017-08-11&settlement_type=all&advice_id=undefined

And then, you know ;) So that was it: XSS in server-side generated PDFs to local file read! It took me some time to figure this out, though :P You could see the number of PDFs I had to download.

./peace
Rahul Maini

Comments

Unknown, 8 November 2017 at 04:32: Bro, how? <3

Aryan Rupala, 8 November 2017 at 08:40: Great find!

intx0x80, 8 November 2017 at 12:40: Nice shot

muthu, 9 November 2017 at 01:42: Nice bro.. :)

Harsh Jaiswal, 14 November 2017 at 04:47: Very nice bro :)

Rohan, 15 November 2017 at 04:26: Nicely done!

Unknown, 29 November 2017 at 09:14: Nice, I used this today in an engagement. Awesome finding.

Unknown, 29 November 2017 at 09:15: Does this probably lead to SSRF too?

Rahul Maini, 29 November 2017 at 10:48: Thanks :) Actually yes, it leads to an SSRF, but since it was executing under file:///, maybe that's why I wasn't able to load/iframe any http:// origin. It should work in other cases, though; you might check this awesome blog post by @bbuerhaus: https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/

Unknown, 16 January 2018 at 01:08: Hi, I found the same case and there is SSRF: the server downloads a file from my HTTP server. But the problem is that I am not able to exploit LFI.

Unknown, 18 March 2018 at 02:29: Need your help, can I contact you?

dghdh, 2 May 2018 at 08:15: Great find!

Sadiq West, 20 January 2019 at 23:56: Great finding

Unknown, 3 June 2020 at 21:39: Here from HTB, thanks a lot!

egyption, 5 June 2020 at 13:55: I need the PDF file

About the author: Rahul Maini, Application Security Engineer and Bug Bounty Hunter currently active on Bugcrowd. Interested in learning Binary Exploitation and Reverse Engineering! Follow me @iamnoooob
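On the defender's side, here is an added example (not from the post) of detection logic that flags attempts like the ones described above in web server access logs: it parses constructed combined-format log lines, keeps requests to the downloadStatements endpoint, decodes the utrnumber parameter, labels values that are not a plain token with the kind of content they carry, and also lists IPs that hit the endpoint repeatedly (the post notes how many PDFs had to be downloaded to work the bug out). The endpoint path comes from the post; the log lines, indicator names, token format and threshold are constructed for this example.

```javascript
// Added example, not from the post. Scans access log lines for injection
// attempts against the statement endpoint. Log lines are constructed.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/Nov/2017:10:01:02 +0000] "GET /payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date=2017-08-11&settlement_type=all&advice_id=undefined HTTP/1.1" 200 48211',
  '10.0.0.9 - - [08/Nov/2017:10:02:15 +0000] "GET /payments/downloadStatements?Id=b9bc3d&utrnumber=%22%3Eaaa&date=2017-08-11&settlement_type=all&advice_id=undefined HTTP/1.1" 200 48230',
  '10.0.0.9 - - [08/Nov/2017:10:03:40 +0000] "GET /payments/downloadStatements?Id=b9bc3d&utrnumber=%3Cscript%3Edocument.write(1)%3C%2Fscript%3E&date=2017-08-11&settlement_type=all&advice_id=undefined HTTP/1.1" 200 48402',
  '10.0.0.9 - - [08/Nov/2017:10:04:01 +0000] "GET /payments/downloadStatements?Id=b9bc3d&utrnumber=%3Ciframe%20src%3Dfile%3A%2F%2F%2Fetc%2Fpasswd%3E&date=2017-08-11&settlement_type=all&advice_id=undefined HTTP/1.1" 200 48399',
  '10.0.0.7 - - [08/Nov/2017:10:05:00 +0000] "GET /static/app.js HTTP/1.1" 200 1200',
];

// Endpoint path from the post; the parameter name is the one reflected there.
const STATEMENT_PATH = '/payments/downloadStatements';
const WATCHED_PARAM = 'utrnumber';

// Combined log format: ip ident user [time] "method target proto" status bytes
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Expected shape of a legitimate value (assumed: short alphanumeric token).
const TOKEN_RE = /^[A-Za-z0-9]{1,32}$/;

// Indicator labels are this example's own; order fixes the output order.
const INDICATORS = [
  ['html-markup', /[<>]/],
  ['attr-breakout', /["']\s*>/],
  ['script-element', /<\s*script\b/i],
  ['iframe-element', /<\s*iframe\b/i],
  ['file-uri', /file:\/\//i],
  ['dom-api', /\b(document\.|window\.|XMLHttpRequest)/i],
];

// Parse one line; the base URL is a placeholder so the WHATWG URL parser can
// split path and query and percent-decode parameter values for us.
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, bytes] = m;
  let url;
  try { url = new URL(target, 'http://placeholder.invalid'); } catch (e) { return null; }
  return { ip, time, method, path: url.pathname, params: url.searchParams, status: Number(status), bytes };
}

// Empty array means the value looks legitimate; otherwise the matched labels,
// or 'unexpected-chars' when it merely fails the token shape.
function classifyValue(value) {
  if (TOKEN_RE.test(value)) return [];
  const hits = INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
  return hits.length ? hits : ['unexpected-chars'];
}

// Returns per-request findings plus IPs that hit the endpoint at least
// burstThreshold times (constructed threshold; tune to real traffic).
function scanAccessLog(lines, burstThreshold = 3) {
  const findings = [];
  const perIp = new Map();
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || req.path !== STATEMENT_PATH) continue;
    perIp.set(req.ip, (perIp.get(req.ip) || 0) + 1);
    const value = req.params.get(WATCHED_PARAM);
    if (value === null) continue;
    const indicators = classifyValue(value);
    if (indicators.length) findings.push({ ip: req.ip, time: req.time, value, indicators });
  }
  const burstIps = [...perIp].filter(([, n]) => n >= burstThreshold).map(([ip]) => ip);
  return { findings, burstIps };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
}
```

The token-shape test does the heavy lifting: for a parameter that should only ever carry a transaction reference, anything outside that alphabet is worth a look, and the indicator labels only tell the analyst how far the attempt went (markup, script, file URI, DOM API). A file:// or script indicator against a PDF-generating endpoint is the one to page on, since that is the pattern the post escalates from reflection to local file read.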